
Search Engine Manipulation Fuels Surge in Malicious Teams and Google Meet Downloads

CyberProof Threat Hunters and Intelligence Analysts have identified a renewed and highly deceptive wave of search engine optimization (SEO) poisoning attacks beginning in mid-November 2025, designed to deliver the Oyster backdoor.

This latest campaign misleads users searching for legitimate office meeting tools by promoting fake download pages for Microsoft Teams and Google Meet.

Unsuspecting victims are tricked into installing malicious files such as “MSTeamsSetup.exe” and “Googlemeet.exe,” which secretly deploy the backdoor on compromised systems.

Researchers noted that the recent malware samples were newly compiled, built on updated infrastructure, and associated with code-signing certificates that had not been previously reported.

These certificates, later revoked, conferred a false sense of legitimacy, making the malicious installers appear safe to download and execute.

The Oyster malware, also known as Broomstick and CleanUpLoader, dates back to its initial discovery by IBM researchers in September 2023.

Over time, the malware has been repeatedly linked to espionage and financially motivated intrusion activity, particularly through campaigns impersonating trusted utilities and software installers.

In July 2025, CyberProof researchers documented Oyster spreading via malvertising campaigns that abused legitimate ad platforms to promote trojanized versions of IT tools such as PuTTY and WinSCP.

These lures effectively reached enterprise users who rely on search engines to locate software updates.

Arctic Wolf and other security vendors later confirmed similar activity, and Rapid7 investigations in 2024 had already uncovered identical tactics being used to distribute Oyster variants signed with different certificates.

The recent campaigns represent a direct evolution of earlier efforts, demonstrating the threat actors’ continuous operational sophistication.

Technical Behavior and Indicators of Compromise

Analysis of the malicious installers revealed repeating patterns across multiple samples. One of the primary executables, MSTeamsSetup.exe, was signed with a certificate attributed to LES LOGICIELS SYSTAMEX INC., a Canadian company whose signing credentials were revoked following security reports.

Additional malware clusters were found using certificates issued to Reach First Inc. and S.N. Advanced Sewerage Solutions Ltd., suggesting a diverse network of certificate abuse likely involving stolen or fraudulently obtained credentials.

Upon execution, the trojanized installers deploy a malicious DLL named AlphaSecurity.dll into the %APPDATA%\Roaming directory.

Persistence is achieved by creating a scheduled task named “AlphaSecurity” at C:\Windows\System32\Tasks\AlphaSecurity that runs every 18 minutes to keep the backdoor active even after system reboots.

[Image: malicious page serving the Oyster backdoor]

The DLL facilitates command-and-control communication, enabling remote operators to execute arbitrary commands and maintain long-term access within infected environments.

Threat analysts identified several domains supporting the malicious distribution network, including tedbutz.com, nucleusgate.com, and the fake resource hxxps://www.google-meet-app[.]icu, which hosts downloadable files disguised as legitimate installers.

Multiple file hashes associated with the identified samples have been recorded on VirusTotal, confirming that these files belong to the same campaign cluster.

Analysis on sandbox platforms such as Triage further verified consistent dropper and task-creation patterns across the samples.

Security researchers emphasize that this form of SEO-driven malware distribution exemplifies the growing convergence between social engineering, web optimization abuse, and ransomware operations.

Some of the examined Oyster infections have been linked to the Rhysida ransomware group, underscoring the risk that these infections could escalate into broader network compromises.

Given these observed overlaps and the attackers’ adaptation of infrastructure and code-signing methods, experts predict that the Oyster threat cluster will remain active throughout 2026.

Organizations are advised to enforce stricter controls over software acquisition sources, monitor scheduled task creation, and investigate all executables signed by lesser-known or revoked certificate issuers to mitigate exposure to this persistent, evolving backdoor threat.
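The persistence behaviour described above (a DLL dropped under %APPDATA%\Roaming and a scheduled task repeating every 18 minutes) and the closing advice to monitor task creation and scrutinise signers together suggest a simple host-side hunt. The following PowerShell script is an added example written for this article, not code from CyberProof or from the report; the 30-minute interval threshold, the path patterns and the task-name pattern are assumptions chosen to match the indicators in the text and should be tuned per environment. It enumerates scheduled tasks, flags those with short repetition intervals, names matching the reported task, or actions that launch files from the roaming profile, and reports the Authenticode status and signer subject of each launched file so that unknown or untrusted signers stand out.

```powershell
# Added hunting example (not from the CyberProof report). Enumerates scheduled tasks that
# (a) repeat on a short interval, (b) match a known task name, or (c) launch a file from
# AppData\Roaming, and reports the Authenticode status of the launched file.
# MaxIntervalMinutes, the path patterns and the name pattern are assumptions; tune them.
param(
    [int]$MaxIntervalMinutes = 30,
    [string[]]$SuspiciousPathPatterns = @('\\AppData\\Roaming\\'),
    [string[]]$SuspiciousNamePatterns = @('AlphaSecurity')   # task name from the report
)

function ConvertFrom-TaskDuration {
    # Task Scheduler stores repetition intervals as ISO 8601 durations, e.g. PT18M, PT1H.
    param([string]$Duration)
    if ([string]::IsNullOrWhiteSpace($Duration)) { return $null }
    try { return [System.Xml.XmlConvert]::ToTimeSpan($Duration) } catch { return $null }
}

function Get-ActionPaths {
    # Collect candidate file paths from an action's Execute and Arguments fields, because a
    # DLL is typically run indirectly, e.g. rundll32.exe "C:\...\Roaming\x.dll",Entry
    param($Action)
    $candidates = @()
    if ($Action.Execute) { $candidates += $Action.Execute }
    if ($Action.Arguments) {
        $candidates += [regex]::Matches($Action.Arguments, '"([^"]+)"|([A-Za-z]:\\[^,\s]+)') |
            ForEach-Object { if ($_.Groups[1].Success) { $_.Groups[1].Value } else { $_.Groups[2].Value } }
    }
    return $candidates
}

$findings = foreach ($task in Get-ScheduledTask) {
    $reasons = @()

    if ($SuspiciousNamePatterns | Where-Object { $task.TaskName -match $_ }) {
        $reasons += 'task name matches known pattern'
    }

    foreach ($trigger in $task.Triggers) {
        $interval = ConvertFrom-TaskDuration $trigger.Repetition.Interval
        if ($interval -and $interval.TotalMinutes -le $MaxIntervalMinutes) {
            $reasons += "repeats every $($interval.TotalMinutes) min"
        }
    }

    # Expand %APPDATA% and similar so path matching and signature checks see real paths.
    $expanded = @($task.Actions | ForEach-Object { Get-ActionPaths $_ } |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) })
    foreach ($p in $expanded) {
        if ($SuspiciousPathPatterns | Where-Object { $p -match $_ }) {
            $reasons += "action references $p"
        }
    }

    if ($reasons.Count -eq 0) { continue }
    if ($expanded.Count -eq 0) { $expanded = @('(no file path in action)') }

    foreach ($p in $expanded) {
        $sigStatus = 'n/a'; $signer = 'n/a'
        if (Test-Path -LiteralPath $p -PathType Leaf) {
            # Get-AuthenticodeSignature reports chain validity but is not a reliable
            # revocation check on its own; treat any non-Valid status or unfamiliar
            # signer subject as something to investigate.
            $sig = Get-AuthenticodeSignature -LiteralPath $p
            $sigStatus = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        [pscustomobject]@{
            TaskPath  = $task.TaskPath
            TaskName  = $task.TaskName
            File      = $p
            SigStatus = $sigStatus
            Signer    = $signer
            Reasons   = ($reasons | Select-Object -Unique) -join '; '
        }
    }
}

$findings | Sort-Object TaskName | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so that tasks registered by other users are visible. Legitimate software also uses short repetition intervals and roaming-profile paths, so the output is a triage list rather than a verdict; the signer column is what lets an analyst compare against the known-good publishers for the host and pick out the lesser-known or since-revoked certificates the article warns about.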


The post Search Engine Manipulation Fuels Surge in Malicious Teams and Google Meet Downloads appeared first on Cyber Security News.
